Hack a Day » mifare

Live CD for RFID hacking on the go

Mike Nathan — Sat, 09 Jul 2011 20:04:45 +0000

[Milosch] wrote in to tell us that he has recently released a bootable RFID live hacking system – something he has been diligently working on for quite some time. The live distro can be used for breaking and analyzing MIFARE RFID cards, as well as a reasonable selection of other well-known card formats. The release is based off the Fedora 15 live desktop system, and includes a long list of RFID hacking tools, as well as some applications that allow for NFC tag emulation.

His toolkit also contains a baudline-based LF RFID sniffer package, allowing for a real-time waveform display of low frequency RFID tags. The LF sniffer makes use of a cheap USB sound card, as well as a relatively simple reader constructed from a handful of easy to find components.

We have seen some of [Milosch’s] handiwork before, so we are fairly confident that his toolkit contains just about everything you need to start sniffing and hacking RFID tags. If you’re interested in grabbing a copy of the ISO, just be aware that the live CD is only compatible with 64-bit systems, so older laptops need not apply.

Filed under: security hacks

RFID reader for iPhone

Mike Szczys — Sun, 14 Mar 2010 18:34:13 +0000

[Benjamin Blundell] built an RFID reader for the iPhone. A jailbroken iPhone connects to this project box by patching into a standard iPhone USB cable. Like in past iPhone serial projects, [Benjamin] is using openFrameworks for the software interface. Right now this reader only detects low-frequency tags but he’s working on the code to read MIFARE tags as well. See the magic of a tag ID displayed on the screen in the video after the break.

[Thanks Andrew via Recombu]

Filed under: iphone hacks

ShmooCon 2009: Chris Paget’s RFID cloning talk

Eliot — Tue, 17 Feb 2009 02:36:48 +0000

When we first saw [Chris Paget]‘s cloning video, our reaction was pretty ‘meh’. We’d seen RFID cloning before and the Mifare crack was probably the last time RFID was actually interesting. His ShmooCon presentation, embedded above, caught us completely off-guard. It’s very informative; we highly recommend it.

The hardest part about selling this talk is that it has to use two overloaded words: ‘RFID’ and ‘passport’. The Passport Card, which is part the the Western Hemisphere Travel Initiative (WHTI), is not like the passport book that you’re familiar with. It has the form factor of a driver’s license and can only be used for land and sea travel between the USA, Canada, the Caribbean region, Bermuda, and Mexico. They’ve only started issuing them this year.

The Passport Card also uses RFID… but not the same technology as e-passports that have been issued world wide. You’re probably familiar with 125KHz access control cards and 13.56MHz smartcards, MiFare tags, and e-passports. These are all inductively coupled technologies. The RFID used in Passport Cards is in the 900MHz band and is a capacitive technology. It’s EPC Class 1 Generation 2, the same sort of technology used to track goods in warehouses. Each EPC has a 96bit ID number. By design, they have to be readable from a minimum of 30 feet.

To start his research, [Chris] purchased an XR400 RFID reader of off eBay. This is an industrial reader with four antenna ports and Windows CE. He got a great deal… because it didn’t work. He guessed that the ball grid array (BGA) solder joints had cracked. Putting enough pressure on the chips allowed the device to boot. He repaired the board using a heat gun to reflow the solder. He referenced this video of an Xbox 360 being repaired with the same technique. [bunnie] has a post from last year investigating Xbox 360 RRODs and possible BGA failures.

900MHz RFID cards are not inductively coupled to the reader, so their read range is not limited by the wavelength. With a HAM license in the US, you can broadcast with up to 1500W. At Defcon this year, [Chris] plans on going for a new read record. He cited the company ThingMagic using 10W into a 12dbi antenna and getting 100% read reliability from 213ft. The theoretical limit for 1500W through a 18dBi antenna is 2.35 miles; you’d be limited by how far the tag can transmit though. He’s set up the site RFIDHackers.com to help coordinate efforts.

Another future project is using the GNU Radio USRP board to do differential power analysis against the Passport Card. It’s a brute force method for extracting the 32bit kill and lock codes for the tags, which could then be used to deactivate cards.

The goal of [Chris]‘ research from the beginning was to show that RFID is unsuitable for security situations like this. Passport Cards assign a unique identifier to each holder. This ID can be read from a distance and coordinated with the holders other RFID items like their credit card. Any party can track someone holding these cards, and they don’t make border crossings any faster, since the cards still have to be checked in person.

The USA is now tracking its residents with the same respect given to items in Walmart.

Posted in cons, security hacks, wireless hacks

MBTA drops lawsuit against MIT subway hackers

Eliot — Tue, 23 Dec 2008 16:00:24 +0000

The Massachusetts Bay Transit Authority (MBTA) has dropped its federal case against three MIT researchers, “the subway hackers”. This happened in October and now the EFF brings news that the students will be working with the MBTA to improve their system. The overall goal is to raise security while keeping expenses minimal.

This whole mess started in August when a gag order was issued against the students’ presentation at Defcon. It’s a shame no one ever saw it because it covers a lot of interesting ground. A PDF of the banned slides is still online. They performed several attacks against both the subway’s fare system and physical security. Our favorites by far were using GNU Radio to sniff the RFID card’s transaction and bruteforcing Mifare Classic with an FPGA.

Posted in news, security hacks, transportation hacks

Reverse engineering silicon logic

Eliot — Sun, 14 Sep 2008 03:16:57 +0000

[Karsten Nohl] has recently joined the team on Flylogic’s blog. You may remember him as part of the team that reverse engineered the crypto in MiFare RFID chips. In his first post, he starts out with the basics of identifying logic cells. By studying the specific layout of the transistors you can reproduce the actual logic functions of the chip. The end of post holds a challenge for next week (pictured above). It has 34 transistors, 3 inputs, 2 outputs, and time variant behavior. Also, check out the Silicon Zoo which catalogs individual logic cells for identification.

Subway hacker speaks

Eliot — Mon, 25 Aug 2008 04:30:00 +0000

Popular Mechanics has an interview with [Zach Anderson], one of the MIT hackers that was temporarily gagged by the MBTA. The interview is essentially a timeline of the events that led up to the Defcon talk cancellation. [Zach] pointed out a great article by The Tech that covers the vulnerabilities. The mag stripe cards can be easily cloned. The students we’re also able to increase the value of the card by brute forcing the checksum. There are only 64 possible checksum values, so they made a card for each one. It’s not graceful, but it works. The card values aren’t encrypted and there isn’t an auditing system to check what values should be on the card either. The RFID cards use Mifare classic, which we know is broken. It was NXP, Mifare’s manufacturer, that tipped off the MBTA on the actual presentation.

25C3: Nothing to hide announced

Eliot — Sun, 17 Aug 2008 05:30:00 +0000

Germany’s Chaos Computer Club has announced the theme for their annual Chaos Communication Congress: “Nothing to hide“. Like last year’s “Full steam ahead!“, it’s open to many interpretations. People striking down privacy laws often say citizens shouldn’t mind since they have “Nothing to hide”. The phrase is also connected to the inability to hide data, as the CCC demonstrated this year by publishing the German Home Secretary’s fingerprint. On a more positive side, “Nothing to hide” is also about the free exchange of information that happens at hacker conventions. The Congress is in its 25th year and promises to be as good as ever. At last year’s 24C3, we saw great talks like [Drew Endy]‘s biohacking talk and the original MiFare crypto presentation. 25C3 will be held in Berlin December 27th to 30th. The wiki is already up and they’ve published a call for participation, if you’re interested.

24C3 Mifare crypto1 RFID completely broken

Eliot — Tue, 01 Jan 2008 17:56:00 +0000

Another highlight for us at CCC was [Karsten Nohl] and [Henryk Plötz] presenting how they reversed Philips crypto-1 “classic” Mifare RFID chips which are used in car keys, among other things. They analyzed both the silicon and the actual handshaking over RF. Looking at the silicon they found about 10K gates. Analyzing with Matlab turned up 70 unique functions. Then they started looking “crypto-like” parts: long strings of flip-flops used for registers, XORs, things near the edge that were heavily interconnected. Only 10% of the gates ended up being crypto. They now know the crypto algorithm based on this analysis and will be releasing later in the year.

The random number generator ended up being only 16-bit. It generates this number based on how long since the card has been powered up. They controlled the reader (an OpenPCD) which lets them generate the same “random” seed number over and over again. This was actually happening on accident before they discovered the flaw.

One more broken security-through-obscurity system to add to the list. For more fun, watch the video of the presentation.